Solved: How to extract the fields for the Multiline- Each ...

rajeswariramar · ‎01-03-2018

I'm having problem with a multi-line field extraction which I have been struggling to figure out.

Below the log files ..

2018-01-02T13:28:19,420|[http-nio-8181-exec-7]|INFO|VM2|RestController|9E6D1D1CCEB59143C66A3A3FBC050692|5c191357-c436-4577-8896-ab983997cb65|1323574285.736696.48319626.2018167121.17362971%40-1983397168.17368709|TEST02|Normal|A02|2265|14388|147213326|null|SUCCESS|Multipart

i m trying to extract the Fields Date, VM, and from user id (TEST01,TEST02) all the fields. for the first line is not matching with other 2 lines.. so i m trying to get the details sing below query but i m not getting Proper Result.

^(?P[^|]+)[^]\n]]|\w+|(?P\w+)(?:[^|\n]|){5}(?P[^|]+)

for the first line instead of user id TESTC01 its extracting next vale as "Normal".

Can yo please help me to extract the fields for the uneven lines log files

mayurr98 · ‎01-04-2018

hey try this!!

| rex field=_raw "^(?P<date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)((.*\.\d+\|)|(.*\-\w+\|))(?P<user_id>[^\|]+)"

let me know if this helps you!

View solution in original post

mayurr98 · ‎01-04-2018

hey try this!!

| rex field=_raw "^(?P<date>[^\|]+)\|\[.*\]\|\w+\|(?P<VM>\w+)((.*\.\d+\|)|(.*\-\w+\|))(?P<user_id>[^\|]+)"

let me know if this helps you!

rajeswariramar · ‎01-04-2018

thank you so much .. the above is working fine

p_gurav · ‎01-04-2018

Hi rajeswariramar,

Try to use auto-field-extractor with delimiter "|" instead of regex.

mayurr98 · ‎01-04-2018

can you put your regex in 101010 sample code? as it is not properly showing

rajeswariramar · ‎01-04-2018

^(?P<TimeFrame>[^|]+)[^]\n]]|\w+|(?P<*VM>\w+)(?:[^|\n]|){5}(?P<*userid>[^|]+)

How to extract the fields for the Multiline- Each line has different Formats

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team